EFFICIENT DISTRIBUTED TAG-BASED ENCRYPTION AND ITS APPLICATION TO GROUP SIGNATURES WITH EFFICIENT DISTRIBUTED TRACEABILITY
Essam Ghadafi (Presented by Enrique Larraia)
ghadafi@cs.bris.ac.uk
University of Bristol
Latincrypt 2014
OUTLINE
1 Background
2 Security Model
3 A Distributed Tag-Based Encryption Scheme
4 Generic Construction of GS with Distributed Traceability
5 Instantiations in the Standard Model
6 Summary
GROUP SIGNATURES
Group Signatures [CH91] allow a member to anonymously and accountably sign on behalf of a group.
FIGURE: A Group Signature (GM holding msk, TM holding tsk, a Signer producing Sig on behalf of the Group, and the TM recovering the Signer ID from Sig)
HISTORY AND RELATED WORK
Group Signatures were introduced by Chaum and van Heyst [CH91]. Extensive existing work includes:
• Security definitions (static groups) by Bellare et al. [BMW03].
• Security definitions (dynamic groups) by Bellare et al. [BSZ05].
• Opening soundness by Sakai et al. [SSE+12].
• Many constructions, e.g. [CS97, CM98, BBS04, KY05, BW06, BW07, DP06, G07, BB08, ...].
• For distributed traceability, either informal constructions or constructions meeting weaker security notions, e.g. [FY04, BCL+08].
SECURITY OF GROUP SIGNATURES
Besides correctness, the security requirements [BSZ05] are:
Anonymity: Signatures do not reveal the identity of the member.
Traceability: All signatures trace to a member in the group.
Non-Frameability: No one can accuse an honest member of producing a signature she did not produce.
• Protects against a corrupt tracing manager, i.e. the TM must prove its decision.
THE PROBLEM
Issue: The Tracing Manager has strong power which it can abuse!
Solution: Distribute the tracing capability among n authorities, as considered by other works, e.g. [FY04, ZLM+08].
Challenge: Realizing distributed traceability efficiently together with strong security:
• Full (i.e. CCA) anonymity.
• Concurrent Join protocol, i.e. 1 round.
• Non-frameability against dishonest tracing managers.
• Tracing soundness.
OUR CONTRIBUTION
1 A security model for dynamic group signatures with distributed traceability.
2 A generic construction for dynamic group signatures with distributed traceability.
3 Efficient instantiations in the standard model.
4 Efficient instantiations of a distributed/threshold tag-based encryption scheme in the standard model.
GROUP SIGNATURES WITH DISTRIBUTED TRACEABILITY
FIGURE: A Group Signature with Distributed Traceability (GM holding msk, tracing managers TM_1, ..., TM_n holding tsk_1, ..., tsk_n, a Signer producing Sig on behalf of the Group, and the Signer ID recovered jointly from Sig)
SECURITY OF GS WITH DISTRIBUTED TRACEABILITY
Anonymity: Signatures do not reveal who signed them.
• The adversary gets gpk, msk and $\{tsk_i\}_{i \in BTL}$, and has access to the oracles AddU, CrptU, SndU, WReg, ModifyReg, RevealU, TraceShare and Trace.
• Challenge: the adversary outputs $(uid_0, uid_1, m)$, receives $\Sigma$ computed for a random $b \leftarrow \{0,1\}$, and finally outputs $b^*$.
• Adversary wins if $b = b^*$.
◮ Captures full key exposure.
◮ Adversary can learn $\kappa - 1$ tracing shares of $\Sigma$.
SECURITY OF GS WITH DISTRIBUTED TRACEABILITY
Traceability: All signatures trace to a member in the group.
• The adversary gets gpk and $\{tsk_i\}$, has access to the oracles AddU, CrptU, SndM, RevealU, Sign and RReg, and outputs $(\Sigma^*, m^*)$.
Adversary wins if:
• $\Sigma^*$ verifies on $m^*$ and either:
  ◮ $\Sigma^*$ is untraceable, i.e. there is an invalid share or TraceVerify does not accept, or
  ◮ $\Sigma^*$ does not open to a signer in the group.
SECURITY OF GS WITH DISTRIBUTED TRACEABILITY
Non-Frameability: The adversary cannot output a signature that traces to an honest member who did not produce it.
• The adversary gets gpk, msk and $\{tsk_i\}$, has access to the oracles Sign, CrptU, SndU, WReg, RevealU and Trace, and outputs $(m^*, \Sigma^*, uid^*, \theta^*_{Trace})$.
Adversary wins if all of the following hold:
• $\Sigma^*$ verifies on $m^*$ and was not obtained from the Sign oracle.
• $\theta^*_{Trace}$ is accepted by TraceVerify.
• $uid^*$ is honest.
SECURITY OF GS WITH DISTRIBUTED TRACEABILITY
Tracing Soundness: Even if all entities are corrupt, they cannot produce a signature that traces to different members.
• The adversary gets gpk, msk and $\{tsk_i\}$, has access to the oracles CrptU and WReg, and outputs $(m^*, \Sigma^*, uid^*_1, \theta^*_{Trace_1}, uid^*_2, \theta^*_{Trace_2})$.
Adversary wins if all of the following hold:
• $\Sigma^*$ verifies on $m^*$.
• $\theta^*_{Trace_1}$ and $\theta^*_{Trace_2}$ are accepted by TraceVerify.
• $uid^*_1 \neq uid^*_2$ and neither is $\bot$.
DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION
◮ Selective-Tag weakly IND-CCA DTBE: n decryption servers, each with a secret/verification key pair $(sk_i, svk_i)$.
n-out-of-n: A ciphertext can be decrypted only if all n servers compute their shares correctly. (One can have k-out-of-n instead.)
Desirable Properties:
• Public Verifiability: Well-formedness of ciphertexts is publicly verifiable.
• Non-Interactiveness: Decryption requires no interaction among the servers.
• Robustness: Invalid decryption shares can be identified by the combiner.
DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION
DTBE
Setup$(1^\lambda, n)$: Outputs $pk$, $\vec{svk} = (svk_1, \ldots, svk_n)$ and $\vec{sk} = (sk_1, \ldots, sk_n)$.
Enc$(pk, t, m)$: Outputs a ciphertext $C_{dtbe}$.
IsValid$(pk, t, C_{dtbe})$: Outputs 1 if the ciphertext is valid under the tag $t$.
ShareDec$(pk, sk_i, t, C_{dtbe})$: Outputs the $i$-th server's decryption share $\nu_i$ or $\bot$.
ShareVerify$(pk, svk_i, t, C_{dtbe}, \nu_i)$: Outputs 1 if the decryption share $\nu_i$ is valid and 0 otherwise.
Combine$(pk, \{svk_i\}_{i=1}^n, \{\nu_i\}_{i=1}^n, C_{dtbe}, t)$: Outputs either $m$ or $\bot$.
DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION
SECURITY OF DTBE
ST-wIND-CCA: Similar to IND-CCA for PKE, but the adversary:
1 Must choose the target tag $t^*$ before it gets $pk$.
2 Cannot ask decryption queries on ciphertexts under $t^*$.
Decryption Consistency: A ciphertext cannot be opened in two different ways.
(PRIME-ORDER) BILINEAR GROUPS
$\mathbb{G}, \tilde{\mathbb{G}}, \mathbb{T}$ are finite cyclic groups of prime order $p$, with $\mathbb{G} := \langle G \rangle$ and $\tilde{\mathbb{G}} := \langle \tilde{G} \rangle$.
Pairing $e : \mathbb{G} \times \tilde{\mathbb{G}} \rightarrow \mathbb{T}$: The function $e$ must have the following properties:
Bilinearity: $\forall H \in \mathbb{G}, \forall \tilde{H} \in \tilde{\mathbb{G}}, \forall x, y \in \mathbb{Z}$, we have $e(H^x, \tilde{H}^y) = e(H, \tilde{H})^{xy}$.
Non-degeneracy: $e(G, \tilde{G}) \neq 1$.
$e$ is efficiently computable.
Type-III [GPS08]: $\mathbb{G} \neq \tilde{\mathbb{G}}$ and there is no efficiently computable isomorphism between $\mathbb{G}$ and $\tilde{\mathbb{G}}$.
OUR DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION
Based on the Kiltz scheme [Kil06] and its threshold variant [AT09], but ours is more efficient as it is in asymmetric groups.
DEFINITION (DLIN$_{\mathbb{G}}$): Given a bilinear group $\mathcal{P}$ and $(H, V, U, R, S, T) = (G^h, G^v, G^u, G^{rh}, G^{sv}, G^{ut}) \in \mathbb{G}^6$, is $t = r + s$?
DEFINITION (EXTERNAL DLIN (XDLIN$_{\mathbb{G}}$) [Abe et al. 2012]): Same as DLIN$_{\mathbb{G}}$, but the tuple $(H, V, U, R, S)$ computed in $\tilde{\mathbb{G}}$, i.e. $(\tilde{H}, \tilde{V}, \tilde{U}, \tilde{R}, \tilde{S})$, is included in the input as well.
Idea of Construction: Convert [AT09] into the Type-III setting and base it on XDLIN$_{\mathbb{G}}$ instead of DLIN$_{\mathbb{G}}$.
OUR DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION
Setup$(1^\lambda, n)$:
• $h, w, z, \{u_i\}_{i=1}^n, \{v_i\}_{i=1}^n \leftarrow \mathbb{Z}_p$.
• $u := \sum_{i=1}^n u_i$, $v := \sum_{i=1}^n v_i$, $(H, \tilde{H}) := (G^h, \tilde{G}^h)$, $(U, \tilde{U}) := (H^u, \tilde{H}^u)$, $(V, \tilde{V}) := (U^{1/v}, \tilde{U}^{1/v})$, $(W, \tilde{W}) := (H^w, \tilde{H}^w)$, $(Z, \tilde{Z}) := (V^z, \tilde{V}^z)$.
• Server Secret Key is $sk_i := (u_i, v_i)$.
• Server Verification Key is $svk_i := (\tilde{U}_i := \tilde{H}^{u_i}, \tilde{V}_i := \tilde{V}^{v_i})$.
• Public Key is $pk := (\mathcal{P}, H, \tilde{H}, U, \tilde{U}, V, \tilde{V}, W, \tilde{W}, Z, \tilde{Z})$.
Enc$(pk, t, M)$:
• $r_1, r_2 \leftarrow \mathbb{Z}_p$.
• $C_1 := H^{r_1}$, $C_2 := V^{r_2}$, $C_3 := M \cdot U^{r_1 + r_2}$, $C_4 := (U^t W)^{r_1}$, $C_5 := (U^t Z)^{r_2}$.
• $C_{dtbe} := (C_1, C_2, C_3, C_4, C_5) \in \mathbb{G}^5$.
• To check validity of $C_{dtbe}$, check $e(C_1, \tilde{U}^t \tilde{W}) = e(C_4, \tilde{H})$ and $e(C_2, \tilde{U}^t \tilde{Z}) = e(C_5, \tilde{V})$.
OUR DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION
ShareVerify$(pk, svk_i, t, C_{dtbe}, \nu_i)$:
• Parse $svk_i$ as $(\tilde{U}_i, \tilde{V}_i)$, $\nu_i$ as $(C_{i,1}, C_{i,2})$ and $C_{dtbe}$ as $(C_1, C_2, C_3, C_4, C_5)$.
• Return 1 iff $C_{dtbe}$ is valid and $e(C_{i,1}, \tilde{H}) = e(C_1, \tilde{U}_i)$ and $e(C_{i,2}, \tilde{V}) = e(C_2, \tilde{V}_i)$.
ShareDec$(pk, sk_i, t, C_{dtbe})$:
• Return $\bot$ if $C_{dtbe}$ is invalid.
• Parse $C_{dtbe}$ as $(C_1, C_2, C_3, C_4, C_5)$ and $sk_i$ as $(u_i, v_i)$.
• Return $\nu_i := (C_{i,1} := C_1^{u_i}, C_{i,2} := C_2^{v_i})$.
Combine$(pk, \{svk_i\}_{i=1}^n, \{\nu_i\}_{i=1}^n, C_{dtbe}, t)$:
• Return $\bot$ if $C_{dtbe}$ or any of the shares $\nu_i$ are invalid.
• $M := \dfrac{C_3}{\prod_{i=1}^n C_{i,1} C_{i,2}}$.
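The Setup, Enc, ShareDec and Combine algebra of the two slides above, as an added worked example that is not part of the paper or the talk. It runs the same exponent arithmetic in a prime-order subgroup of $\mathbb{Z}_p^*$ generated on the fly (a 64-bit safe prime, a toy size chosen so the example runs instantly; it offers no security), so the pairing-based IsValid and ShareVerify checks cannot be expressed and are left out: only the $\tilde{\mathbb{G}}$-free parts are implemented, namely the five ciphertext components, the shares $C_1^{u_i}, C_2^{v_i}$, and the combination $M = C_3 / \prod_i C_{i,1} C_{i,2}$. The class name ToyDTBE, the helper names, and the message and tag values are all assumptions of this example.

```python
"""Toy n-out-of-n distributed decryption with the share/combine algebra of
the DTBE scheme above.  Added example, not the paper's code: it works in a
prime-order subgroup of Z_p^* instead of a Type-III bilinear group, so the
pairing checks IsValid and ShareVerify are NOT implemented here."""
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test (hypothetical helper used only to build the toy group)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=64):
    """Return (p, q, G) with p = 2q + 1 a safe prime; G = 4 is a square, so it
    generates the subgroup of prime order q.  Toy size: NOT secure."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


class ToyDTBE:
    """The G-side of Setup / Enc / ShareDec / Combine (no G~ values, no pairings)."""

    def __init__(self, n, bits=64):
        self.p, self.q, self.G = gen_group(bits)
        self.n = n

    def rand_exp(self):
        return 1 + secrets.randbelow(self.q - 1)        # uniform in [1, q-1]

    def setup(self):
        p, q = self.p, self.q
        while True:                                     # need u, v invertible mod q
            u_i = [self.rand_exp() for _ in range(self.n)]
            v_i = [self.rand_exp() for _ in range(self.n)]
            u, v = sum(u_i) % q, sum(v_i) % q
            if u and v:
                break
        h, w, z = self.rand_exp(), self.rand_exp(), self.rand_exp()
        H = pow(self.G, h, p)
        U = pow(H, u, p)
        V = pow(U, pow(v, -1, q), p)                    # V = U^{1/v}, hence V^v = U
        W = pow(H, w, p)
        Z = pow(V, z, p)
        pk = {"H": H, "U": U, "V": V, "W": W, "Z": Z}
        sk = list(zip(u_i, v_i))                        # sk_i = (u_i, v_i)
        return pk, sk

    def enc(self, pk, t, M):
        p = self.p
        r1, r2 = self.rand_exp(), self.rand_exp()
        C1 = pow(pk["H"], r1, p)
        C2 = pow(pk["V"], r2, p)
        C3 = M * pow(pk["U"], r1 + r2, p) % p
        C4 = pow(pow(pk["U"], t, p) * pk["W"] % p, r1, p)   # (U^t W)^{r1}
        C5 = pow(pow(pk["U"], t, p) * pk["Z"] % p, r2, p)   # (U^t Z)^{r2}
        return (C1, C2, C3, C4, C5)

    def share_dec(self, sk_i, C):
        u_i, v_i = sk_i
        return (pow(C[0], u_i, self.p), pow(C[1], v_i, self.p))   # (C1^{u_i}, C2^{v_i})

    def combine(self, shares, C):
        """M = C3 / prod_i C_{i,1} C_{i,2}; prod C1^{u_i} = U^{r1} and
        prod C2^{v_i} = V^{r2 v} = U^{r2}, so the product is U^{r1+r2}."""
        denom = 1
        for c1, c2 in shares:
            denom = denom * c1 % self.p * c2 % self.p
        return C[2] * pow(denom, -1, self.p) % self.p


def demo(n=3):
    """Encrypt a constructed message, decrypt with all n shares, then try n-1 shares."""
    scheme = ToyDTBE(n)
    pk, sk = scheme.setup()
    M = pow(scheme.G, 0xC0FFEE, scheme.p)    # constructed message encoded in the subgroup
    C = scheme.enc(pk, t=12345, M=M)         # constructed tag value
    shares = [scheme.share_dec(sk_i, C) for sk_i in sk]
    return scheme.combine(shares, C) == M, scheme.combine(shares[:-1], C) == M


if __name__ == "__main__":
    print(demo())   # (True, False)
```

demo() returns (True, False): all n shares recover $M$, while any n−1 shares yield an unrelated group element, which is the n-out-of-n property stated on the earlier slide. What this toy cannot show is robustness: in the real scheme the combiner first runs ShareVerify with the pairing and rejects a malformed $\nu_i$, whereas here a bad share silently produces a wrong $M$.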